By Bob Hickok
February 08, 2019
Many banks rely heavily on a third party for their IT work, which is understandable given their resources. However, banks or their security testers also need to know how to check on that third party’s work, and that is often where the gaps exist.
An example of this we’ve seen at many banks is with security cameras and physical access control systems, particularly if the bank has replaced its security systems during a building project or acquisition. Many times, those cameras and/or locks are easily accessed by unauthorized people: while the security system vendors may or may not have created user logins for the bank to use, they often leave the admin accounts at their factory defaults or leave the admin passwords blank. In one instance, it took us about a minute total to scan the $300 million bank’s network with a free tool and find and access some interesting devices with a web browser. We then put the brand and model number into Google, found the default admin user and password, and logged in with complete administrator access. The security officer at the bank had been told by the security company that the devices were not accessible from anywhere except their own PCs using a special program. They were understandably frustrated, and grateful for our discovery.
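As an added example (not code from the original article or its author), the following Python script performs the check described above against a web-managed device: it reads the device’s Server banner, looks up candidate default credentials for that model, and tries each pair over HTTP Basic authentication until one is accepted. The credential table and the "ExampleCam-3000" device are constructed for this demo and are not real vendor defaults; a local stand-in server is included so the script runs offline. The same check_device function can be pointed at a real device URL, but only on a network you are authorized to test.

```python
"""Check web-managed devices (cameras, door controllers) for default or blank
admin credentials over HTTP Basic auth.

Added example, not from the original article. The credential table, the
ExampleCam-3000 model and the local demo server are all constructed for this
illustration and do not represent any real vendor's defaults.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed table: device banner -> credential pairs worth trying.
# On a real engagement this comes from the vendor manual or a published
# default-credential list; the entries below are illustrative only.
DEFAULT_CREDS = {
    "ExampleCam-3000": [("admin", "admin"), ("admin", ""), ("root", "root")],
    "GenericDVR": [("admin", "12345"), ("admin", "")],
}


def lookup_defaults(banner):
    """Return candidate credentials for a banner (case-insensitive substring match)."""
    for model, creds in DEFAULT_CREDS.items():
        if model.lower() in banner.lower():
            return creds
    # Unknown device: still try the two near-universal weak pairs.
    return [("admin", "admin"), ("admin", "")]


def _basic_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def try_login(url, user, password, timeout=3.0):
    """True if HTTP Basic auth with these credentials yields a 2xx response."""
    req = urllib.request.Request(url, headers=_basic_header(user, password))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError:
        return False  # 401/403 etc.: credentials rejected
    except (urllib.error.URLError, OSError):
        return False  # unreachable or not HTTP; not a finding on its own


def check_device(url, banner, timeout=3.0):
    """Return the first accepted (user, password) pair, or None if all fail."""
    for user, password in lookup_defaults(banner):
        if try_login(url, user, password, timeout):
            return (user, password)
    return None


class _DemoDevice(BaseHTTPRequestHandler):
    """Stand-in for a camera admin page left at user 'admin' with a blank password."""
    server_version = "ExampleCam-3000/1.0"  # shows up in the Server header
    expected = _basic_header("admin", "")["Authorization"]

    def do_GET(self):
        if self.headers.get("Authorization") == self.expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"camera admin console")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="camera"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def run_demo():
    """Start the fake device on localhost, test it, and return (banner, finding)."""
    server = HTTPServer(("127.0.0.1", 0), _DemoDevice)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{port}/"
        # Grab the Server banner the way a scanner would: an unauthenticated GET.
        try:
            urllib.request.urlopen(url, timeout=3.0)
            banner = ""
        except urllib.error.HTTPError as err:
            banner = err.headers.get("Server", "")
        return banner, check_device(url, banner)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    banner, finding = run_demo()
    print("Banner:", banner)
    print("Default credentials accepted:", finding)
```

The check deliberately treats connection failures as "not a finding" rather than as an error, because a device that is unreachable from the tester’s network segment is exactly the situation the vendor claimed here; the point of the exercise is to verify that claim rather than assume it.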
Software patching also continues to be a problem at many banks, especially when a third party is responsible for it. Patching problems include Microsoft applications and Windows itself, but they are also a big problem in non-Microsoft software such as Java, Adobe Reader, Adobe Flash Player and other components used when browsing the web. Vulnerabilities in these applications have been exploited in many of the largest breaches reported worldwide in the past decade.
Other Systems at Risk
There are also other types of systems on which vendor default credentials are frequently left in place, making unauthorized access to systems and data a simple matter. These can include storage systems, scanners, phone systems, network switches and routers, among others. Administrative access to a storage system, for example, could give a person the power to delete all of the bank’s stored data. Smart TVs and electronic signs are also easily taken over: an attacker can display malicious content in offices or on outdoor signs, then change the password and lock the owner out of the device.
Gain Peace of Mind
Carefully performed vulnerability assessments and security testing can help you know that your bank is getting its money’s worth from IT investments. The goal of such an assessment is not to question or challenge the relationship you have with your vendors, but rather to help you gain confidence that your technology and information is being handled in the safest possible manner.